In the next stage of the attack, a ransomware program called "Cryptowall," a relative of the infamous Cryptolocker malware, is installed. It encrypts the user's files and demands a ransom. In another sign of the operation's sophistication, the website where victims pay the ransom is a hidden site reachable only through The Onion Router, or TOR, network.
To reach a TOR hidden website, a user must have TOR installed, and Cryptowall helpfully provides instructions for installing it. Victims who delay paying find that the ransom increases as time passes.
Because of the use of TOR and the technically complex attack chain, Cisco hasn't yet been able to identify a group behind the attacks.
Gundert said it is likely that several groups or people with different skills — such as malvertising, traffic redirection, exploit writing and ransomware campaigns — are working together.
"You could have a threat actor putting together all of these pieces on their own, but there are so many different specialties involved in this attack chain," he said.